I have a question about configured firewall rules. I am trying to block specific IPs from going out. I have a full class C or /24. When I put in, for example, 209.19.72.128 /24 in an output rule, it says bad source address. I want to prevent that address from going out!!! I thought I was doing it right from the documentation. Also, I would like to be able to do IP ranges. I have done other rules concerning ports without issue.
In your example ip address and netmask don’t fit together. To block this single ip address you should use 209.19.72.128/32.
For blocking ranges, you could use subnetting (if that’s fitting your range needs). To block 209.19.72.0 to 209.19.72.127 you could use 209.19.72.0/25…
You are telling the firewall to block the entire class C when you use /24 (this is your subnet). Use a /32 to specify a single IP. Keep in mind that the output chain is for connections originating from the router, not the clients behind it. Instead, you’ll most likely want to block client IPs with the forward and possibly source nat chains, depending on how you’ve got your firewall set up (are you using nat and/or masquerading?)
Not sure how to do ranges other than a smaller subnet of your network. If you’ve got more IPs to block than there are to allow, block your whole subnet, then allow only those you want to get out.
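An added example, not part of any post in this thread: a Python sketch that checks whether an address and prefix length "fit together" in the sense of the first reply (no host bits set), and splits an arbitrary first-to-last IP range into the CIDR blocks needed to cover it exactly. The function names are hypothetical, and it is an assumption that the firewall applies the same host-bits check as Python's strict parser.

```python
import ipaddress


def check_rule_address(text):
    """Validate an address/prefix as typed into a rule.

    Returns (True, [network]) when the pair fits together, otherwise
    (False, [single-host form, whole-subnet form]) as the two likely intents.
    """
    text = text.replace(" ", "")  # tolerate "209.19.72.128 /24"
    try:
        # strict=True rejects addresses with host bits set for the prefix
        net = ipaddress.ip_network(text, strict=True)
        return True, [str(net)]
    except ValueError:
        # Raises ValueError again if the text is not an address at all
        iface = ipaddress.ip_interface(text)
        return False, [f"{iface.ip}/{iface.ip.max_prefixlen}", str(iface.network)]


def range_to_cidrs(first, last):
    """Return the minimal list of CIDR blocks covering first..last inclusive."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(b) for b in blocks]


if __name__ == "__main__":
    # Addresses taken from the thread; the 100-130 range is constructed.
    for entry in ("209.19.72.128 /24", "209.19.72.128/32", "209.19.72.0/25"):
        print(entry, "->", check_rule_address(entry))
    print(range_to_cidrs("209.19.72.0", "209.19.72.127"))
    print(range_to_cidrs("209.19.72.100", "209.19.72.130"))
```

A range that does not start and end on subnet boundaries needs several rules, one per returned block.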